ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

If user sits on Account-Experience login page, they get a login flow expired error #4097

Open calebgrollins opened 2 months ago

calebgrollins commented 2 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

After a user sits on the default account experience login page for about 30 minutes and then tries to log in, they get an error that their login flow is expired. Ideally, the “flow expired” error should just redirect to a new flow in browser contexts.

Reproducing the bug

  1. Open account experience login page
  2. Wait ~30 minutes (or whatever your lifespan is set to for login flows)
  3. Try to log in

At this point the user will see an error that their login flow is expired.

Relevant log output

No response

Relevant configuration

No response

Version

Ory Network

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

OskarsPakers commented 1 month ago

What would be the expected behaviour? I believe you can handle the error and tell user to start the flow from the beginning.

aeneasr commented 1 month ago

Isn't that what's happening? We show the error and the user starts again?

calebgrollins commented 1 month ago

> I believe you can handle the error and tell user to start the flow from the beginning.

This is in the Ory Network Account-Experience, so we don't have control over that. I am not too familiar with the inner workings of all this so I am not sure if this is on the kratos side or the Ory Network side. It was recommended to me to open a bug in this repo.

At the end of the day, the result we would expect to see is that another flow would be created transparently for the user or they would at least be redirected to something more friendly. End users shouldn't have to know or care about flows.

aeneasr commented 1 month ago

Ok, we will need to investigate.

aeneasr commented 1 month ago

I see - I worry that people misinterpret this as "it should return me there" which it does not. Maybe if it's documented properly that setting this is ineffective and purely informational?

calebgrollins commented 1 month ago

> I see - I worry that people misinterpret this as "it should return me there" which it does not. Maybe if it's documented properly that setting this is ineffective and purely informational?

I'm not sure I follow. Setting what?

aeneasr commented 1 month ago

My bad, I made this comment in the wrong issue!